Re: [mod-security-users] can't seem to get notification working...
From: Mark <ad...@as...> - 2004-04-04 11:04:54
Jeremy Hansen wrote:
>>> So yes...this actually leads to something:
>>>
>>> [2004-04-03 10:23:15]: error: invalid command
>>> (/usr/webservers/httpd/conf/report-attack.sh)
>>>
>>> but I'm not sure exactly what it means by invalid command.
>>
>> So looking at the code:
>>
>> if ((cmd[0] == '/') || (!strncmp(cmd, "../", 3))
>>     || (strstr(cmd, "/../") != NULL)) {
>>     log_err("error: invalid command (%s)\n", cmd);
>>     exit(104);
>> }
>>
>> so, because the line starts with a /, suexec says it's an invalid
>> command. What's the work around for this?
>
> So the only way I could get this to work is to comment the above code
> and recompile suexec. Obviously this is probably a bad idea but I
> just did it to prove the point.
>
> Any ideas on how to make this work without hacking suexec?
Personally, I would just get rid of suEXEC altogether. suEXEC requires that
the directory of your program be within the Apache webspace. And in my
experience (and yours, it seems), scripts like the one above are exactly
what you do NOT want in the web-tree. But apart from that, why not just
hardlink (not symlink!) to it, from within your web-root space?

Then in, say,
/usr/webservers/httpd/vhosts/myhost/htdocs/
you would do:
"ln /usr/webservers/httpd/conf/report-attack.sh report-attack.sh"

So you can run a relative call to report-attack.sh, from within the Apache
webspace. Not pretty, perhaps; but it might do the trick.

P.S. I am myself rather charmed with mod_security's SecChrootDir command, as
it makes chrooting Apache rather trivial. Do that, and the need for using
suEXEC may subside even more.
Cheers,
- Mark
System Administrator Asarian-host.org
---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
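An added example, not part of this thread and not suexec's own code: a POSIX shell script that mirrors the command-string check quoted above (absolute path, leading "../", or any "/../" component is rejected, as suexec does before exit(104)) and then walks through the hardlink workaround in a constructed temporary directory standing in for the conf directory and the document root. The check function and the temp-dir layout are assumptions for illustration; the script does not exercise suexec itself or its other checks (ownership, mode, symlink tests).

```shell
#!/bin/sh
# Added example: reproduce the quoted suexec command-string check in shell
# and show why a hardlink inside the document root gets past it.

# Mirror of the quoted C check. Returns 0 when suexec would accept the
# command string, 1 when it would log "invalid command" and exit(104).
suexec_cmd_check() {
    cmd=$1
    case "$cmd" in
        /*)   return 1 ;;   # cmd[0] == '/'            : absolute path
        ../*) return 1 ;;   # !strncmp(cmd, "../", 3)  : leading "../"
    esac
    case "$cmd" in
        */../*) return 1 ;; # strstr(cmd, "/../") != NULL : "/../" anywhere
    esac
    return 0
}

# Hardlink workaround in a constructed temp tree:
#   $tmp/conf/report-attack.sh   (the script outside the webspace)
#   $tmp/htdocs/                  (stands in for the document root)
# Returns 0 when the linked, relative name passes the check, shares the
# inode of the original, and runs; 1 otherwise.
hardlink_demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/conf" "$tmp/htdocs" || return 1
    printf '#!/bin/sh\necho report-attack ran\n' > "$tmp/conf/report-attack.sh"
    chmod 755 "$tmp/conf/report-attack.sh"

    # The absolute path is exactly what the check rejects.
    if suexec_cmd_check "$tmp/conf/report-attack.sh"; then
        rm -rf "$tmp"; return 1
    fi

    # Hardlink (not symlink) the script into the document root.
    ln "$tmp/conf/report-attack.sh" "$tmp/htdocs/report-attack.sh" || {
        rm -rf "$tmp"; return 1
    }

    # Same inode on both names: one file, no copy to keep in sync.
    i1=$(ls -i "$tmp/conf/report-attack.sh"   | awk '{print $1}')
    i2=$(ls -i "$tmp/htdocs/report-attack.sh" | awk '{print $1}')
    if [ "$i1" != "$i2" ]; then
        rm -rf "$tmp"; return 1
    fi

    # The relative name passes the check and runs from the document root.
    suexec_cmd_check report-attack.sh || { rm -rf "$tmp"; return 1; }
    out=$(cd "$tmp/htdocs" && ./report-attack.sh)
    rm -rf "$tmp"
    [ "$out" = "report-attack ran" ]
}

# Usage: . ./suexec_check.sh; hardlink_demo && echo "hardlink workaround works"
```

Note that the hardlink only addresses the command-string check quoted in the thread; suexec's remaining checks on the target directory and file still apply to the linked name, and a hardlink cannot cross filesystems, so the script and the document root must live on the same volume.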